Skip to main content

FOSSBilling EUVDEUVD-2026-39096

| CVE-2026-33543 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-24 security-advisories@github.com
9.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Single unauthenticated network request creates a full admin account (PR:N/UI:N/AC:L), granting complete control over the application, so confidentiality, integrity, and availability are all High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 22:03 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 21:36 vuln.today
Analysis Generated
Jun 24, 2026 - 21:36 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

AnalysisAI

Authentication bypass in FOSSBilling 0.7.2 and earlier lets remote unauthenticated attackers create a fully privileged administrator account through the guest bootstrap endpoint /api/guest/staff/create, which fails to lock after the first admin exists. Because the account can immediately authenticate, this yields complete takeover of the billing and client-management platform. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate internet-exposed FOSSBilling instance
Delivery
POST to /api/guest/staff/create
Exploit
Bypass broken is_countable admin guard
Execution
Create attacker-controlled admin account
Persist
Authenticate as new admin
Impact
Full control of billing platform

Vulnerability AssessmentAI

Exploitation The required condition is simply that a FOSSBilling instance at version 0.7.2 or earlier is network-reachable with the guest API enabled and the /api/guest/staff/create endpoint accessible - the default state of an installed instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk for exposed instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-exposed FOSSBilling instance (0.7.2 or earlier) and sends a single crafted POST request to /api/guest/staff/create supplying their own chosen credentials. Despite an administrator already existing, the broken guard accepts the request and creates a new admin account, after which the attacker logs in to obtain a fully privileged admin session and controls billing data, customers, and configuration. …
Remediation Vendor-released patch: upgrade to FOSSBilling 0.8.0, which corrects the admin-existence check and refactors the guest API routes to expose less publicly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately restrict network access to FOSSBilling instances (firewall/VPN only) or deploy WAF rules blocking POST requests to /api/guest/staff/create. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy